Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
35-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring NAT (ASA 8.2 and Earlier)
NAT Overview
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks. For example, a transparent firewall ASA is useful between two VRFs so you can
establish BGP neighbor relations between the VRFs and the global table. However, NAT per VRF might
not be supported. In this case, using NAT in transparent mode is essential.
NAT in transparent mode has the following requirements and limitations:
When the mapped addresses are not on the same network as the transparent firewall, then on the
upstream router, you need to add a static route for the mapped addresses that points to the
downstream router (through the ASA).
When you have VoIP or DNS traffic with NAT and inspection enabled, to successfully translate the
IP address inside VoIP and DNS packets, the ASA needs to perform a route lookup. Unless the host
is on a directly-connected network, then you need to add a static route on the ASA for the real host
address that is embedded in the packet.
The alias command is not supported.
Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
ARP inspection is not supported. Moreover, if for some reason a host on one side of the firewall
sends an ARP request to a host on the other side of the firewall, and the initiating host real address
is mapped to a different address on the same subnet, then the real address remains visible in the ARP
request.
Figure 35-2 shows a typical NAT scenario in transparent mode, with the same network on the inside and
outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the
upstream router does not have to perform NAT. When the inside host at 10.1.1.27 sends a packet to a web
server, the real source address of the packet, 10.1.1.27, is changed to a mapped address, 209.165.201.10.
When the server responds, it sends the response to the mapped address, 209.165.201.10, and the ASA
receives the packet because the upstream router includes this mapped network in a static route directed
through the ASA. The ASA then undoes the translation of the mapped address, 209.165.201.10 back to
the real address, 10.1.1.1.27. Because the real address is directly-connected, the ASA sends it directly
to the host.